Techniques
Sample rules
HackTool - Bloodhound/Sharphound Execution
- source: sigma
- techniques:
  - t1059
  - t1059.001
  - t1069
  - t1069.001
  - t1069.002
  - t1087
  - t1087.001
  - t1087.002
  - t1482
Description
Detects command line parameters used by Bloodhound and Sharphound hack tools
Detection logic
condition: 1 of selection_*
selection_cli_1:
    CommandLine|contains:
        - ' -CollectionMethod All '
        - ' --CollectionMethods Session '
        - ' --Loop --Loopduration '
        - ' --PortScanTimeout '
        - '.exe -c All -d '
        - Invoke-Bloodhound
        - Get-BloodHoundData
selection_cli_2:
    CommandLine|contains|all:
        - ' -JsonFolder '
        - ' -ZipFileName '
selection_cli_3:
    CommandLine|contains|all:
        - ' DCOnly '
        - ' --NoSaveCache '
selection_img:
    - Product|contains: SharpHound
    - Description|contains: SharpHound
    - Company|contains:
        - SpecterOps
        - evil corp
    - Image|contains:
        - \Bloodhound.exe
        - \SharpHound.exe
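As an added illustration (not part of the original page and not code from the Sigma project), the following Python evaluator transcribes the four selections above, implements the Sigma semantics the rule relies on (case-insensitive `contains`, `|all` meaning every listed value must be present, a plain list meaning any value suffices, and the list-of-maps OR used by `selection_img`), and runs the `1 of selection_*` condition over four constructed process-creation events. Field names follow the Sigma `process_creation` log source as populated by Sysmon Event ID 1; the events and their values are constructed for the example, not real telemetry.

```python
from typing import Any, Dict, List, Union

# Selections transcribed from the rule's detection logic on this page.
# A single map is an AND across its fields; a list of maps is an OR.
RULE: Dict[str, Union[dict, list]] = {
    "selection_cli_1": {
        "CommandLine|contains": [
            " -CollectionMethod All ",
            " --CollectionMethods Session ",
            " --Loop --Loopduration ",
            " --PortScanTimeout ",
            ".exe -c All -d ",
            "Invoke-Bloodhound",
            "Get-BloodHoundData",
        ]
    },
    "selection_cli_2": {"CommandLine|contains|all": [" -JsonFolder ", " -ZipFileName "]},
    "selection_cli_3": {"CommandLine|contains|all": [" DCOnly ", " --NoSaveCache "]},
    "selection_img": [
        {"Product|contains": "SharpHound"},
        {"Description|contains": "SharpHound"},
        {"Company|contains": ["SpecterOps", "evil corp"]},
        {"Image|contains": ["\\Bloodhound.exe", "\\SharpHound.exe"]},
    ],
}


def _field_matches(event: Dict[str, Any], key: str, values: Union[str, List[str]]) -> bool:
    """Evaluate one 'Field|contains[|all]' entry against an event (case-insensitive)."""
    field, *modifiers = key.split("|")
    if isinstance(values, str):
        values = [values]
    haystack = str(event.get(field, "")).lower()
    hits = [v.lower() in haystack for v in values]
    # Only the 'contains' and 'all' modifiers occur in this rule; others are out of scope.
    return all(hits) if "all" in modifiers else any(hits)


def _selection_matches(event: Dict[str, Any], selection: Union[dict, list]) -> bool:
    """List of maps -> OR across maps; single map -> AND across its fields."""
    if isinstance(selection, list):
        return any(_selection_matches(event, s) for s in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def matched_selections(event: Dict[str, Any]) -> List[str]:
    """Names of the selections that match, sorted for stable comparison."""
    return sorted(name for name, sel in RULE.items() if _selection_matches(event, sel))


def rule_fires(event: Dict[str, Any]) -> bool:
    """condition: 1 of selection_*"""
    return len(matched_selections(event)) >= 1


# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # direct SharpHound run: matches on command line and on image name
        "Image": r"C:\Users\alice\Downloads\SharpHound.exe",
        "CommandLine": "SharpHound.exe -c All -d corp.local --zipfilename loot.zip",
    },
    {   # PowerShell collector loaded from a script: only the cmdlet name gives it away
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": 'powershell.exe -ep bypass -c "Import-Module .\\SharpHound.ps1; Invoke-BloodHound -CollectionMethod All"',
        "Company": "Microsoft Corporation",
        "Description": "Windows PowerShell",
    },
    {   # benign service host: nothing should match
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs -p -s Schedule",
        "Company": "Microsoft Corporation",
    },
    {   # renamed binary with a partial command line: only the PE version info catches it
        "Image": r"C:\Temp\update.exe",
        "CommandLine": r"update.exe -JsonFolder C:\Temp\out",
        "Product": "SharpHound",
    },
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev['Image']}: fires={rule_fires(ev)} via {matched_selections(ev)}")
```

The fourth event is the instructive one: a lone `-JsonFolder` does not satisfy the `|all` selection, and the renamed image defeats the `Image|contains` test, yet the rule still fires because the `Product` field from the file's version information is checked independently. The evaluator covers only the modifiers this rule uses; a production Sigma backend additionally handles wildcards, escaping and the other modifiers.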